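# Plugin Info
# Metadata and user-facing parameters for the Netflow plugin. The parameter
# values declared here are read by the template directives and the pipeline
# section further down in this file.
version: 0.0.3
title: Netflow
description: Log parser for Netflow
min_stanza_version: 1.1.0
parameters:
  # Port half of the listener address; joined with listen_ip by the pipeline
  # template when the deprecated listen_address is empty.
  - name: listen_port
    label: Listen Port
    description: A port which the agent will listen for Netflow messages
    type: int
    default: 2055
  # Selects the collector mode: the pipeline maps `v5` to netflow_v5 and
  # `ipfix` to netflow_ipfix.
  - name: netflow_version
    label: Netflow Version
    description: The netflow version (`v5`, `v9 / IPFIX`)
    type: enum
    valid_values:
      - v5
      - ipfix
    required: true
  # When true, the pipeline adds a filter stage that drops a share of the
  # flow records. Dropped records never reach the output, so sampling reduces
  # what is available for later detection or investigation.
  - name: sampling_enable
    label: Sampling
    description: Enable Netflow sampling
    type: bool
    default: false
  # Only shown when sampling_enable is true (see relevant_if below).
  # NOTE(review): the values are unquoted, so a generic YAML loader reads them
  # as floats (1.0 and 0.0 may round-trip as 1 and 0) - confirm the enum
  # validation compares them as intended.
  - name: sampling_drop_rate
    label: Sampling Drop Rate
    description: The probability an entry is dropped. A value of 1.0 will drop 100% of matching entries, while a value of 0.0 will drop 0%.
    type: enum
    valid_values:
      - 0.0
      - 0.1
      - 0.2
      - 0.3
      - 0.4
      - 0.5
      - 0.6
      - 0.7
      - 0.8
      - 0.9
      - 1.0
    relevant_if:
      sampling_enable:
        equals: true
  # The default "0.0.0.0" is the IPv4 wildcard: the listener accepts traffic
  # on every interface. NetFlow and IPFIX exporters commonly send records
  # over UDP with no authentication, so on multi-homed or exposed hosts set
  # this to a management interface address and limit the port to known
  # exporter addresses with a host or network firewall.
  - name: listen_ip
    label: Listen IP
    description: An IP address to listen on for Netflow messages, of the form `<ip>`
    type: string
    default: "0.0.0.0"
    advanced_config: true
  # Deprecated and hidden. When non-empty, the pipeline template uses this
  # value verbatim as the listener address and ignores listen_ip and
  # listen_port.
  - name: listen_address
    label: Listen Address
    description: Parameter Deprecated Use 'listen_ip' and 'listen_port' instead.
    type: string
    default: ""
    advanced_config: true
    hidden: true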
# Set Defaults
# The directives below sit on YAML comment lines, but the variables they
# assign are read by the pipeline section, so they are evaluated when the
# plugin is rendered. Keep them ahead of the pipeline.
#
# Deprecated listener address; empty string when the parameter is unset.
# {{$listen_address := default "" .listen_address}}
# Length of the deprecated value; the pipeline compares it with 0 to choose
# between it and the listen_ip:listen_port pair.
# {{$length := len $listen_address}}
# Fallback is the IPv4 wildcard, i.e. listen on every interface.
# {{$listen_ip := default "0.0.0.0" .listen_ip}}
# {{$listen_port := default 2055 .listen_port}}
# NOTE(review): netflow_version is declared required above, so this "ipfix"
# fallback presumably only applies if that requirement is not enforced.
# {{$netflow_version := default "ipfix" .netflow_version}}
# Sampling is off unless enabled; the fallback drop rate of 0.0 drops nothing.
# {{$sampling_enable := default false .sampling_enable}}
# {{$sampling_drop_rate := default 0.0 .sampling_drop_rate}}
# Pipeline Template
# Rendered as text first and parsed as YAML afterwards, so every substituted
# value ends up as raw text in the final document.
# NOTE(review): a parameter value containing a quote character, a newline or
# other YAML-significant text would change the structure of the rendered
# pipeline - presumably parameters come only from trusted agent
# configuration; confirm, and validate them upstream if not.
pipeline:
  # Flow collector input.
  - type: goflow_input
    # Renders netflow_v5 or netflow_ipfix; any other version value renders an
    # empty mode string.
    mode: '{{ if eq $netflow_version "v5" }}netflow_v5{{ else if eq $netflow_version "ipfix" }}netflow_ipfix{{ end }}'
    # Uses the deprecated listen_address verbatim when it is non-empty,
    # otherwise joins listen_ip and listen_port with a colon.
    listen_address: '{{ if eq $length 0 }}{{ $listen_ip }}:{{ $listen_port }}{{ else }}{{ $listen_address }}{{ end }}'
    labels:
      log_type: netflow
      plugin_id: {{ .id }}
      netflow_version: {{ $netflow_version }}
  # Optional sampling stage, emitted only when sampling_enable is true. The
  # expression 'true' matches every entry, so drop_ratio applies to all flow
  # records; dropped records do not reach the output.
  # {{ if $sampling_enable }}
  - type: filter
    expr: 'true'
    drop_ratio: {{ $sampling_drop_rate }}
  # {{ end }}
  # Remove goflow specific field
  - type: remove
    field: $record.type
    # Destination supplied by the caller of the plugin.
    output: {{ .output }}